Railway

Live audit of your Railway project — public-database exposure, healthcheck coverage, env-group safety. Catches the deploy-side misconfigurations a repo scan can't reach.

Available on the Studio tier. Read-only API token — we never modify services, env vars, or deployments.

Why this matters

Railway makes it trivially easy to expose a Postgres on a public TCP proxy — the dashboard offers it as a checkbox, and plenty of AI-built apps land with the box ticked because it unblocks local connection from a developer’s machine. The same project usually shares an env group across prod and a preview service, which propagates production secrets into the preview environment. Neither pattern is visible in the repo.

Connect Railway

01

Mint a Railway API token.

Railway Dashboard → Account Settings → Tokens → Create token. Name it “PulseLight read-only.” Token-level scoping isn’t available in Railway’s UI; the token has read+write on the team. We commit in code to read-only calls.

02

Paste into PulseLight.

From the project page, click the gear icon → Connected platforms → Railway. Paste the token. We probe the API once to confirm the token works and report the team / project list back to you.

03

First scan.

The next scan includes the Railway Connected Check findings alongside repo findings — rolled up into the Secure and Stable pillars.

What we verify

  • Database on public TCP proxy — CONN-RAILWAY-EXPOSE-001

    We list your project’s database services and flag any with the public TCP proxy enabled. A Postgres / MySQL / Redis exposed on a public hostname is reachable by anyone who guesses the connection string — far more common in the wild than founders expect.

  • Healthcheck configured — CONN-RAILWAY-HEALTH-001

    Each public web service should declare a healthcheck path so Railway can detect crashed deploys and route traffic away. We flag services running on PORT with no healthcheck — the deploy will appear healthy as long as the container is alive, even if the app returned 500 for the last hour.

  • Shared env group across prod + non-prod — CONN-RAILWAY-ENV-001

    Railway’s env groups let multiple services share a set of variables. We flag groups attached to both production and a preview / staging service — the same secret value ends up in both environments, and the lower-trust environment becomes the soft underbelly.
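As an added illustration (not PulseLight’s own scanner code), here are the three checks above applied to a constructed, simplified snapshot of project metadata. The snapshot shape and field names are assumptions for illustration only, not Railway’s API schema.

```python
# Added example: evaluate the three checks described above against a constructed,
# simplified snapshot. The field names are an assumption, not Railway's API schema.
from typing import Dict, List

# Constructed sample: a database on a public proxy, a web service with no
# healthcheck, and an env group shared between production and preview.
SNAPSHOT = {
    "services": [
        {"name": "postgres", "kind": "database", "tcp_proxy_public": True,
         "port": None, "healthcheck_path": None, "environments": ["production"]},
        {"name": "api", "kind": "web", "tcp_proxy_public": False,
         "port": 8080, "healthcheck_path": None, "environments": ["production"]},
        {"name": "api-preview", "kind": "web", "tcp_proxy_public": False,
         "port": 8080, "healthcheck_path": "/healthz", "environments": ["preview"]},
    ],
    "env_groups": [
        {"name": "shared", "attached_to": ["api", "api-preview"]},
        {"name": "prod-only", "attached_to": ["api"]},
    ],
}

PROD = {"production"}


def audit(snapshot: dict) -> List[Dict[str, str]]:
    """Return one finding per violated check, keyed by the check IDs above."""
    findings = []
    by_name = {s["name"]: s for s in snapshot["services"]}
    for s in snapshot["services"]:
        # CONN-RAILWAY-EXPOSE-001: database reachable via a public TCP proxy
        if s["kind"] == "database" and s.get("tcp_proxy_public"):
            findings.append({"id": "CONN-RAILWAY-EXPOSE-001", "subject": s["name"]})
        # CONN-RAILWAY-HEALTH-001: web service on PORT with no healthcheck path
        if s["kind"] == "web" and s.get("port") and not s.get("healthcheck_path"):
            findings.append({"id": "CONN-RAILWAY-HEALTH-001", "subject": s["name"]})
    for g in snapshot["env_groups"]:
        # CONN-RAILWAY-ENV-001: group attached to both prod and a non-prod service
        envs = {e for n in g["attached_to"] for e in by_name[n]["environments"]}
        if envs & PROD and envs - PROD:
            findings.append({"id": "CONN-RAILWAY-ENV-001", "subject": g["name"]})
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f["id"], f["subject"])
```

Running it on the constructed snapshot produces one finding per check; the `prod-only` group and the preview service with a healthcheck are not flagged.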

Privacy + scope

Your token is encrypted at rest with KMS envelope encryption and decrypted only at scan time. We read service config, domain config, and env-group attachment metadata only. We never read env-var values, never trigger deploys, never modify any resource. Revoke the token in Railway’s dashboard at any time; the next scan reports the integration as revoked.